Suggestion: examine the connections you have, either with “netstat” or via the 
monitoring connection database.
Maybe you get an idea of what kind of connections you have.

Kind regards,
Ulrich Windl
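
As an added example (not from either message in this thread), a shell snippet that implements the “netstat” suggestion: it tallies established TCP connections by remote endpoint from netstat -tan or ss -tan output, so that the sockets slapd holds can be attributed to the target server's ldaps port versus incoming client connections. All addresses in the sample are constructed.

```shell
#!/bin/sh
# Added example: attribute slapd's sockets to their remote endpoints.
# Accepts "netstat -tan" lines (Proto Recv-Q Send-Q Local Foreign State)
# or "ss -tan" lines (State Recv-Q Send-Q Local Peer); the remote endpoint
# is field 5 in both formats.

# Count established connections per remote endpoint, highest first.
# Reads netstat/ss output from stdin; prints "<count> <remote>" lines.
summarize_remotes() {
    awk '($1 ~ /^tcp/ && $6 == "ESTABLISHED") || $1 == "ESTAB" { n[$5]++ }
         END { for (r in n) print n[r], r }' | sort -rn
}

# Print the established-connection count for one remote endpoint (arg 1),
# or 0 if none; e.g. the target's ldaps port to compare against client count.
count_remote() {
    summarize_remotes | awk -v r="$1" '$2 == r { print $1; f = 1 }
                                        END { if (!f) print 0 }'
}

# Constructed sample of netstat -tan output (not real data from the thread):
# two client connections into the proxy on 636, three proxy->target sockets,
# one closing socket and the listener, which must not be counted.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:636            10.0.1.20:51234         ESTABLISHED
tcp        0      0 10.0.0.5:636            10.0.1.21:51999         ESTABLISHED
tcp        0      0 10.0.0.5:40001          192.0.2.10:636          ESTABLISHED
tcp        0      0 10.0.0.5:40002          192.0.2.10:636          ESTABLISHED
tcp        0      0 10.0.0.5:40003          192.0.2.10:636          ESTABLISHED
tcp        0      0 10.0.0.5:40004          192.0.2.10:636          TIME_WAIT
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN'

# On a real host replace the sample with:  netstat -tan | summarize_remotes
printf '%s\n' "$SAMPLE" | summarize_remotes
printf 'sockets to target: %s\n' "$(printf '%s\n' "$SAMPLE" | count_remote 192.0.2.10:636)"
```

A count near the process's file-descriptor limit (1024 in the reported errno=24 case) that is dominated by the target's port confirms that the proxy side, not the client side, is exhausting FDs.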

From: Bergmann, Clemens <clemens.bergm...@tu-darmstadt.de>
Sent: Tuesday, July 1, 2025 3:48 PM
To: openldap-technical@openldap.org
Subject: [EXT] many connections in proxy setup

Hi,

We have two OpenLDAP servers configured with back_ldap. Each server has one 
non-OpenLDAP server as “target”.

I pasted a redacted copy of my configuration below.

At any given time we have around 100 connections from clients to the OpenLDAP 
server. I noticed that there are a lot more connections open from the LDAP 
server to the “target” servers, sometimes close to 1000. As this is a temporary 
setup I did not investigate any further. In the last days we sometimes see the 
following errors in the log:
“daemon: accept(10) failed errno=24 (Too many open files)”
“connection_input: conn=1799 deferring operation: too many executing”
“connection_read(446): no connection!”

I suspect that this is because there are more than 1024 connections open and 
the OS is preventing opening more FDs.

I am not sure why we have so many open connections to the “target” servers.

Maybe someone can spot my config error.

Thanks in advance.

dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/lib/openldap/slapd.args
olcIdleTimeout: 15
olcLocalSSF: 256
olcLogLevel: none
olcPidFile: /var/lib/openldap/slapd.pid
olcRootDSE: /etc/openldap/rootDSE.ldif
olcSaslSecProps: noplain,noanonymous
olcSecurity: simple_bind=256 ssf=256 tls=0
olcTLSCACertificateFile: /etc/ssl/certs/ca-bundle.crt
olcTLSCertificateFile: /etc/openldap/certs/server.pem
olcTLSCertificateKeyFile: /etc/openldap/certs/server.key
olcTLSCipherSuite: DEFAULT:-SHA1:-CBC
olcTLSDHParamFile: /etc/openldap/dhparam.pem
olcTLSProtocolMin: 3.3

dn: olcDatabase={2}ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {2}ldap
olcAccess: redacted
olcDbACLBind: bindmethod=simple binddn=cn=proxy,ou=admin,o=tu-darmstadt credentials=redacted tls_cacert=/etc/ssl/certs/ca-bundle.crt
olcDbStartTLS: ldaps tls_cacert=/etc/ssl/certs/ca-bundle.crt
olcDbURI: ldaps://backend-server01.example.com/
olcRootDN: cn=admin,ou=admin,o=tu-darmstadt
olcSizeLimit: unlimited
olcSuffix: o=tu-darmstadt
olcTimeLimit: 90

Kind regards
Clemens (Bergmann)

--
Clemens Bergmann
[er/ihm; he/him]
Gruppe Nutzermanagement und Entwicklung
Technische Universität Darmstadt
Hochschulrechenzentrum, Alexanderstraße 2, 64283 Darmstadt
Tel. +49 6151 16 71184
http://www.hrz.tu-darmstadt.de/